7. F.Balarin and A.Sangiovanni-Vincentelli, A Verication Strategy for Timing-

Transcription

1 7. F.Balarin and A.Sangiovanni-Vincentelli, A Verication Strategy for Timing- Constrained Systems, Proc. 4th Workshop Computer-Aided Verication, Lecture Notes in Computer Science 663, Springer-Verlag, T. Henzinger, Z. Manna and A. Pnueli, What Good are Digital Clocks?,Proc. 19th ICALP, Lecture Notes in Computer Science, Springer-Verlag, T.A. Henzinger, X. Nicollin, J. Sifakis and S.Yovine, Symbolic model-checking for real-time systems, Proc. 7th Symp. on Logics in Computer Science, IEEE Computer Society Press, Y. Kesten, A. Pnueli, J. Sifakis and S. Yovine, Integration graphs: a class of decidable hybrid systems, Workshop on Theory of Hybrid Systems, Lyngby, Denmark, October O. Maler, Z. Manna and A. Pnueli, From Timed to Hybrid Systems, Proc. REX Workshop on Real-Time: Theory in Practice, Lecture Notes in Computer Science 600, Springer-Verlag, The Netherlands, June J. A. Mcmanis, Verication and Control of Real-Time Discrete Event Dynamical Systems, Ph.D Thesis, Department of Electrical Engineering and Computer Science, niversity of California, Berkeley, X.Nicollin, A.Olivero, J. Sifakis and S. Yovine, An Approach to the Description and Analysis of Hybrid Systems, Workshop on Theory of Hybrid Systems, Lyngby, Denmark, October X. Nicollin and J. Sifakis, An overview and synthesis on timed process algebras,proc. 3rd Workshop Computer-Aided Verication, Denmark, July A. Puri, Real-Time Systems: Discrete Time vs. Dense Time, npublished, May A. Puri and P. Varaiya, Modeling and Verication of Hybrid Systems, Preprint. 17. Proc. REX Workshop on Real-Time: Theory in Practice, Lecture Notes in Computer Science 600, Springer-Verlag, The Netherlands, June This article was processed using the LaT E X macro package with LLNCS style

2 Proof: 2 L(H D ) ( 2 L(H C )) provided there is a sequence =< D(l 0 ); 0 ; 0 >< D(l 1 ); 1 ; 1 > : : : which is discrete-time (continuous-time) consistent. As discussed at beginning of Sect. 3, every discrete-time consistent sequence is continuoustime consistent. From Lemma 3 - Lemma 7, every continuous-time consistent sequence is also discrete-time consistent. Thus 2 L(H D ) i 2 L(H C ). Theorem 9. L(H D ) is a regular language. Proof: We will construct a nite state automaton which generates L(H D ). Let M j be the largest integer with which x j is compared or initialized, and m j, the smallest such integer. Dene 0 j = f<g [ fm j ; m j + 1; : : :; M j g [ f>g, 0 = n, and the nite set of states Q = L 2 0. The nite state automaton H D = (Q; 6;!) where the transition relation! Q Q is dened as: (l; v)! (l; v 0 ) where vj 0 < =00 00 when v j = 00 < 00 or v j + w < m j for some w 2 D(l) j 1; vj 0 > =00 00 when v j = 00 > 00 or v j + w > M j for some w 2 D(l) j 1; vj 0 2 fm j; m j + 1; : : :; M j g when vj 0 0 v j 2 D(l) j 1. (l; v)! (l 0 ; v 0 ) provided (l; l 0 ; ; ; ) 2 ; v 2 ; and vj 0 2 ( j[v j ]) 1. The rst part of the denition represents passage of 1 time and the second is an instantaneous transition. It is not necessary to keep track of x j when it exceeds M j. This is clear when _x j 2 [L j ; j ] where L j ; j 0 because once x j exceeds M j, it can become less than M j only by being initialized. But it remains true even when L j 0 and j 0 because any trajectory which exceeds M j and then falls below it can be replaced by another which stays at M j. Similar reasoning applies to m j. Theorem 10. L(H C ) is a regular language Proof: From Theorem 8 and Theorem 9. References 1. R.Alur, C.Courcoubetis, T.A. Henzinger and P.-H. Ho, Hybrid automata: an algorithmic approach to the specication and analysis of hybrid systems,workshop on Theory of Hybrid Systems, Lyngby, Denmark, October R. Alur and D. Dill, Automata for modeling real-time systems, Proc. 17th ICALP, Lecture Notes in Computer Science 443, Springer-Verlag, R.Alur and T.Henzinger, Logics and models of real-time: A survey, Proc. REX Workshop Real-Time: Theory in Practice, Lecture Notes in Computer Science 600, Springer-Verlag, The Netherlands, June R. Alur, T.A. Henzinger and P.-H. Ho, Automatic symbolic verication of embedded systems, Proc. of the 14th Annual Real-time Systems Symposium, IEEE Computer Society Press, R.Alur, A.Itai, R.Kurshan and M.Yannakakis, Timing Verication by Successive Approximation, Proc. 4th Workshop Computer-Aided Verication, Lecture Notes in Computer Science 663, Springer-Verlag, D. Dill, Timing Assumptions and verication of nite-state concurrent systems, Automatic Verication Methods for Finite-State Systems, Lecture Notes in Computer Science 407, Springer-Verlag, 1989.

3 k+1 k x x k-1 a a b t 1 t 1 t t2 2 c Fig. 5. Creating a Trajectory with Discretized Times Lemma 6. If a trajectory x satises at times T 0 ; T 1 ; T 2 ; : : :, then there is a trajectory x 0 which satises at times bt 0 c; bt 1 c; bt 2 c; : : :. Proof: Given x i on [0; T k1 ][T k1 ; T k2 ]; : : : where T kj are times at which x i is initialized and x i is continuous on interval [T kj ; T kj+1 ] with _x i 2 [L j ; j ] (x i maybe discontinuous because it could get initialized to a new value at T kj ). The x 0 i on [0; bt k1 c][bt k1 c; bt k2 c]; : : : from Lemma 5 satises at times bt 0 c; bt 1 c; bt 2 c; : : :. Since for i = 1; : : :; n, x 0 i satises at bt 0c; bt 1 c; bt 2 c; : : :, we get x 0 satises. Lemma 7. If a continuous trajectory x satises at times bt 0 c; bt 1 c; bt 2 c; then the discrete trajectory x d where (x d ) i (k1) = bx i (k1)c also satises at times bt 0 c; bt 1 c; bt 2 c : : :. Proof: x d satises the enabling conditions since k x i (bt j c) l implies k bx i (bt j c)c l for k; l 2 Z. Furthermore (x d ) i also satises the dierence inclusion constraints because implies. Theorem 8. L(H C ) = L(H D ) L x i((k + 1)1) 0 x i (k1) 1 L bx i((k + 1)1)c 0 bx i (k1)c 1

4 k+1 x x k tj tj tj+1 tj+1 Fig. 4. Discretized Times for Trajectory with Integer End-Points Proof: Since for > 0, we get x i (t j+1 ) 0 x i (t j ) L x i(t j+1 ) 0 x i (t j ) t j+1 0 t j = l 0 k = m1 bt j+1c 0 bt j c where m 2 Z. Since x 0 i (bt j+1c) = x i (t j+1 ) and x 0 i (bt jc) = x i (t j ), we get x 0 i (bt j+1c) 0 x 0 i (bt jc) bt j+1 c 0 bt j c Similar proof holds when 0. Similarly L x0 i (bt j+1c) 0 x 0 i (bt jc) bt j+1 c 0 bt j c Lemma 5. Given a dierentiable function x i on [b; c] with _x i 2 [L; ], there is a function x 0 i on [bbc; bcc] with _x0 i 2 [L; ] such that for j; k 2 Z, j x i (t) k implies j x 0 i (btc) k (Fig. 5). Proof: We look at the integer crossing points of x i (Fig. 5). sing consecutive integer crossing points t 1 ; t 2, from Lemma 4, we obtain x 0 i on [bt 1c; bt 2 c] where _x 0 i 2 [L; ]. For t 2 [t 1; t 2 ] and j; k 2 Z, j x i (t) k implies j x 0 i (btc) k. In case x i (b) is not an integer, we extend x i to a < b (keeping _x i 2 [L; ]) so that x i (a) is an integer and then reason as above. Similar reasoning applies if x i (c) is not an integer. After obtaining x 0 i, we restrict it to [bbc; bcc].

5 We show L(H C ) = L(H D ) by proving a sequence =< D(l 0 ); 0 ; 0 >< D(l 1 ); 1 ; 1 > : : : is discrete time-consistent i it is continuous-time consistent. A discrete-time consistent sequence has a discrete trajectory x d. The continuous trajectory x c obtained by linear interpolation from x d also satises the constraints of. Therefore, every discrete-time consistent sequence is also continuous-time consistent. The converse, that a continuous-time consistent sequence is also discrete-time consistent, is more dicult to prove. Lemma 3 states that a sequence with continuous trajectory will also have a piece-wise linear trajectory satisfying it (Fig. 3). Lemma 4 shows that continuous trajectory x i on [t j ; t j+1 ] with integer end points can be made into a trajectory on [bt j c; bt j+1 c] with same integer end points (Fig. 4). In Lemma 5 and Lemma 6, we show that for a sequence and a continuous trajectory satisfying it at T 0 T 1 T 2 : : :, there is another continuous trajectory which satises it at bt 0 c; bt 1 c; bt 2 c; : : :. In Lemma 7, we nally show that there is a discrete trajectory x d which also satises. x j T T T time Fig. 3. Mean-Value Theorem Lemma 3. If a sequence =< D(l 0 ); 0 ; 0 >< D(l 1 ); 1 ; 1 > : : : has a continuous trajectory, then it also has a piecewise linear trajectory (Fig. 3). Proof: Suppose x satises at T 0 T 1 T 2 : : :,then form x 0 by linear interpolation between points x(0); x(t 0 ); x(t 1 ); : : :. From the Mean-Value theorem, it follows x 0 satises. Lemma 4. Given a dierentiable function x i on [t j ; t j+1 ] with _x i 2 [L; ] and x i (t j ) = k; x i (t j+1 ) = l where k; l 2 Z. We dene x 0 i on [bt jc; bt j+1 c] by linear interpolation between x 0 i(bt j c) = k and x 0 i(bt j+1 c) = l (Fig. 4). Then _x 0 i 2 [L; ].

6 being x(t i ) before the transition, and x(t 0 i ) after the transition. In Fig. 2, x is dened on [0; 4:8]; [4:8; 4:8]; [4:8; 10], and it makes two successive transitions at time 4:8. We associate a language L(H) with our hybrid automaton. Given 2 6!, we say 2 L(H) provided there is a sequence of edges < l 0 ; l 1 ; 0 ; 0 ; 0 > < l 1 ; l 2 ; 1 ; 1 ; 1 > where l 0 2 I and < D(l 0 ); 0 ; 0 >< D(l 1 ); 1 ; 1 > is consistent. We say < D(l 0 ); 0 ; 0 >< D(l 1 ); 1 ; 1 > is consistent when there is a trajectory x for which this sequence of transitions is feasible. Denition 1. A sequence < D(l 0 ); 0 ; 0 >< D(l 1 ); 1 ; 1 > : : : is continuoustime consistent provided there is a multiple-valued function x : IR +! IR n and a sequence of intervals [0; T 0 ]; [T0; 0 T 1 ]; [T1; 0 T 2 ] : : : with Ti 0 = T i such that 1) x(0) = 0 2) x(t i ) 2 i 3) x(ti 0) 2 i[x(t i )] 4) For Ti 0 < T i+1, _x(t) 2 D(l i ) for t 2 [Ti 0; T i+1] We similarly dene the hybrid system which operates in discrete time according to a dierence equation. Dene 1 1 = LCMfL i; i jd i (l) = [L i ; i ] for l 2 L and 1 i ng where LCM is the least common multiple of the set. For the example in Fig. 1, = LCMf1; 2; 3; 4g = Denition 2. A sequence < D(l 0 ); 0 ; 0 >< D(l 1 ); 1 ; 1 > : : : is discrete-time consistent provided there is a multiple-valued function x : ( Z + 1)! ( Z1) n and a sequence of intervals [0; T 0 ]; [T0; 0 T 1 ]; [T1; 0 T 2 ] : : : where T i 2 ( Z + 1) and Ti 0 = T i such that 1) x(0) = 0 2) x(t i ) 2 i 3) x(ti 0) 2 ( i[x(t i ))]) 1 (i.e., for ( i ) j = [a; b]; x j (Ti 0) 2 [a; b] 1, and for ( i ) j = id; x j (Ti 0) = x j(t i ) ) 4) For Ti 0 < T i+1, x j ((n+1)1)0x j (n1) 2 D(l i ) j 1 for Ti 0 n1; (n+1)1 T i+1 We call H C the hybrid system which operates in continuous time and H D the system which operates in discrete time. For 2 L(H C ), there is a sequence < D(l 0 ); 0 ; 0 >< D(l 1 ); 1 ; 1 > : : : which is continuous-time consistent. Similarly for 2 L(H D ), there is a sequence < D(l 0 ); 0 ; 0 >< D(l 1 ); 1 ; 1 > : : : which is discrete-time consistent. 3 Decidability Results Our main result is that L(H C ) is a regular language. To prove this, we follow an approach similar to [8, 15]. We rst show that L(H C ) = L(H D ) and then prove that L(H D ) is regular.

7 x=0 y=0 dy A ε [1,3] ε [-3,-2] (a,(x<=0)(y=1)) dy B ε [1,3] ε [1,2] (a,(x=4)(y<=-3)) (b,(x=-2)(y<=2)) C ε [-4,-2] dy ε [-3,-2] (b,(y=-4)) D ε [-4,-2] dy ε [1,2] (a,(x<=2)(y=>-5)) (b,(y=-3)) E ε [-4,-2] dy ε [-3,-2] (a,(x=>0)(y<=-6)) Initialize y ε [-5,-6] F ε [-4,-2] dy ε [2,3] Fig. 1. Hybrid Automata with Rectangular Dierential Inclusions x t Fig. 2. Sample Trajectory

8 Enabling Conditions Enabling conditions will be associated with edges between locations in the hybrid automaton. Similar to [2],we dene 8 inductively to be the set of all enabling conditions: := x i cjx i cj 1 ^ 2 j 1 _ 2 where c 2 Z. Enabling conditions are closed subsets of IR n. Setting the Initial State During a transition, some components of the state may be initialized to a new value. We associate an initialization relation = ( 1 ; 1 1 1; n ) with an edge where i = [l i ; u i ] or i = id, and l i ; u i 2 Z. When i = id (the identity relation), the value of x i does not change during the transiton. But for i = [l i ; u i ], x i is initialized non-deterministically to a value in [l i ; u i ]. For x 2 IR n, dene [x] = fx 0 2 IR n jx 0 i = x i for i = id, and x 0 i 2 [l i; u i ] for i = [l i ; u i ]g. We dene S to be the set of all initialization relations. 2.2 Syntax A hybrid automaton H = (L; 6; D; I; ) where L is a nite set of locations, 6 is a nite set of events, D : L! B associates a dierential inclusion with each location, I L is a set of initial locations, and L 2 L S are the edge labels ( (l; l 0 ; ; ; ) 2 labels edge (l; l 0 ) with event, enabling condition, and initialization relation ). We further require that the dierential inclusion for x i is changed only when x i is initialized. That is, for edge label (l; l 0 ; ; ; ), d = D(l), d 0 = D(l 0 ), d i = d 0 i when i = id. Fig. 1 is an example of the kind of hybrid automaton we consider in this paper. Note that the dierential inclusion for y is changed when making the transition from location C to location D because y is equal to 04 at the transition. That is the same as checking y is equal to 04, followed by initializing y to 04. However, the dierential inclusion for x cannot change when going from location C to location D. 2.3 Semantics The hybrid automaton starts at an initial location with state x = 0. At location l, the state x moves according to the dierential inclusion D(l). It can make a transition from location l to location l 0 with edge label (l; l 0 ; ; ; ) provided x 2. After the transition, the state is x 0 2 [x] and the new dierential inclusion is D(l 0 ). The state trajectory x moves in two phase steps [14]. In the rst phase, time progresses and x changes continuously. In the second phase, a sequence of transitions is made instantaneously (Fig. 2). Formally, x is a multiple-valued function. It is dened on [0; T 0 ]; [T0; 0 T 1 ]; [T1; 0 T 2 ] : : : with Ti 0 = T i. For Ti 0 < T i+1, x is dierentiable on [Ti 0 ; T i+1 ]. A transition is made at time T i, with the state

9 [L i ; i ]). These are also called Bounded-Rate Automata in [4]. A transition from one location to another can be made provided the state satises the enabling condition for the transition. A transition to a new location with dierent differential inclusion can be made only when x i is an integer value or when x i is initialized. During the transition, the state can be initialized to a new value. We show that under these conditions, interesting verication problems for the hybrid system are decidable. In particular, we show that the languages generated by our hybrid automata are regular. Our model does not include integration graphs [10], since we permit the dierential inclusion for x i to change only when x i is initialized, or when x i is an integer. Systems with clocks [6, 2, 3, 9, 8, 15], where _x i = 1, are special cases of the hybrid systems we consider. With our approach, systems with unsynchronized or drifting clocks can be modeled, systems with dierential equations can be abstracted by breaking the state space into regions with constant dierential inclusions [16], and it follows that for many hybrid system examples [1, 13], there is a decision procedure that will terminate. In Sect. 2, we introduce the sub-class of hybrid systems. In Sect. 3, we present the decidability results. 2 Hybrid Automata 2.1 Preliminaries Notation IR is the set of reals and Z is the set of integers. IR + is the set of non-negative reals and Z + is the set of non-negative integers. For X Z, dene X1 = fk1jk 2 Xg. For an interval [a; b], where a; b 2 Z and Z+, dene [a; b] 1 = fa; a + 1; : : :; bg. For x 2 IR, dene bxc 1 = k1 where k is the largest integer for which k1 x. In this paper, we always take the oor with respect to 1, so we write bxc instead of bxc 1. Dierential Inclusion A dierential equation is _x = f(x) where x 2 IR n and f : IR n! IR n. A solution to the dierential equation with initial condition x 0 2 IR n is any dierentiable function (t), where : IR +! IR n such that (0) = x 0 and (t) _ = f((t)). A dierential inclusion is written as _x 2 f(x) where x 2 IR n and f is a setvalued map from IR n to IR n (i.e., f(x) IR n ). A solution to the dierential inclusion with initial condition x 0 2 IR n is any dierentiable function (t), where : IR +! IR n such that (0) = x 0 and _ (t) 2 f((t)). A dierential equation with a given initial condition has a unique solution (under Lipshitz conditions), whereas a dierential inclusion has a family of solutions. In this paper we consider constant dierential inclusions _x 2, = [L 1 ; 1 ] [L n ; n ] where L i ; i 2 Z (i.e., _x i 2 [L i ; i ]). We dene B to be the set of all such constant dierential inclusions.

10 Decidability of Hybrid Systems with Rectangular Dierential Inclusions? Anuj Puri and Pravin Varaiya Department of Electrical Engineering and Computer Science, niversity of California, Berkeley, CA Abstract. A hybrid system is modeled with a nite set of locations and a dierential inclusion associated with each location. We discuss a subclass of hybrid systems with constant rectangular dierential inclusions. The continuous state of the system is x 2 IR n with x i evolving with dierential inclusion _x i 2 [L i; i] where L i; i are integers (i.e., the slope of trajectory of x i could be changing, but is restricted to remain within [L i; i]). A transition from one location to another can be made provided the state satises the enabling condition for the transition. The state can also be initialized to a new value during the transition. The dierential inclusion for x i can be changed when x i is an integer or when x i is initialized to a new value. We show that the verication problem for this class of hybrid systems is decidable. With this approach, systems with unsynchronized and drifting clocks can be modeled, a general dierential equation can be abstracted by breaking the state space into regions with constant dierential inclusions, and many previously presented hybrid system examples can be veried. 1 Introduction Hybrid systems are modeled as automata with a nite set of locations and continuous state x 2 IR n. There is a dierential inclusion at each location and the edges between locations have enabling conditions [1, 12, 13, 16]. The hybrid system starts in a specied location with an initial condition x 0 2 IR n. The continuous trajectory evolves according to the dierential inclusion associated with that location. At some time t, x(t) satises the enabling condition for a transition and a jump is made to a new location. The state x could be initialized to a new value during the jump. At the new location, x begins evolving according to the dierential inclusion associated with that location. After some time, another transition is made, and so on. In this paper, we study hybrid systems with constant dierential inclusions of the form [L 1 ; 1 ] [L n ; n ] where L i ; i are integers. The continuous state of the system, x 2 IR n, evolves according to _x i 2 [L i ; i ]; i = 1; ; n (i.e., the slope of trajectory x i could be changing but is restricted to remain within? Research supported by NSF under grants ECS and IRI , and by the PATH program, niversity of California, Berkeley